Troubleshooting

The following sections provide solutions, workarounds, and explanations about issues that you might encounter as you deploy CCC:

>Browser Issues

>Installation Issues

>Configuration Issues

>Administration Issues

>Uninstallation Issues

>Operational Issues

Browser Issues

I'm unable to access CCC on Mozilla Firefox even after I click the Accept the risk and continue button

This issue is specific to Mozilla Firefox. You can either access CCC on Google Chrome or Microsoft Edge, or follow these steps to access CCC on Mozilla Firefox:

1. Click the Options tab from the menu on the right.

2. Click the Privacy and Security option in the navigation pane on the left and then scroll down to the Certificates section.

3. Click the View Certificates button and then click the Servers tab in the Security Manager window that appears on the screen.

4. Click the Add Exception button at the bottom.

5. Enter the CCC path in the Add Security Exception window that appears on the screen.

6. Click the Get Certificate button and then click the Confirm Security Exception button after the certificate gets generated.

You should now be able to access CCC on Mozilla Firefox.

Installation Issues

How can I resolve the following error that I’m encountering when I run the sh install.sh -check command: "This script must be executed by root privilege"

To overcome this issue, you need to log in as the root user.

How can I resolve the following error that I’m encountering during the CCC installation: "Perl command not installed"

To resolve this issue, you need to install Perl using the following command: yum install perl

How can I resolve the following error that I’m encountering during the CCC installation: "[Error] openssl command not installed"

To resolve this issue, you need to install OpenSSL using the following command: yum install openssl

Configuration Issues

I’m encountering an error while configuring CCC

Run the sh config.sh -debug command to see a detailed error log on your screen. Based on the error that is displayed in the error log, you can make the necessary changes and then run the sh config.sh command again. If you are not able to resolve the issue using the error log, take a screenshot of the error log and contact Thales Customer Support.

I’m encountering the following error when I run the sh config.sh -check command: "This script must be executed by root privilege"

To resolve this issue, you need to log in as the root user.

I’m encountering the following error during the CCC configuration: "[Error] User lunadirector does not exist"

To resolve this error, you need to re-install CCC.

I’m encountering the following error during CCC configuration: "[Error] ipcalc command not installed"

To resolve this error, you need to install ipcalc using the following command: yum install initscripts

I’m encountering the following error during CCC configuration: "[Error] JCPROV_HOME is not defined"

To resolve this error, you need to check whether LunaClient has been installed properly.

I’m encountering the following error during CCC configuration: "[Error] JCPROV libraries not found. Please make sure you have LunaClient with JCProv installed on this machine"

To resolve this error, you need to check whether LunaClient has been installed properly.

I’m encountering the following database connection error at the time of configuration: “Server chose TLSv1, but that protocol version is not enabled or supported by the client” or “Server chose TLSv1.1, but that protocol version is not enabled or supported by the client”

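If you are using a CentOS 8 or RHEL 8 operating system, you may get this error at the time of CCC configuration. This is because CentOS 8 and RHEL 8 have deprecated TLSv1.0 and TLSv1.1. To overcome this issue, either upgrade the database TLS version to TLSv1.2 or above, or change the crypto policy on the CCC server by running the update-crypto-policies --set LEGACY command. The LEGACY policy applies system-wide, so it re-enables TLSv1.0 and TLSv1.1 for every application on the CCC server that follows the system crypto policy, not only for the database connection.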

After re-configuring CCC, the server starts successfully but the CCC URL lands on a blank page

This can be the result of a configuration mismatch between CCC and the database. During CCC configuration, if you enter “no” in response to the message “The CCC database is already configured. Do you want to change the database configuration?”, ensure that the current configuration properties of the database are aligned with the previous settings. If there is any change in the database configuration, enter “yes” in response to the above-stated message and then re-configure CCC with the new database settings.

Administration Issues

I'm encountering the following message while activating CCC root of trust: "System already activated"

To resolve this issue, you need to:

1. Activate the ROT again by entering the partition label and password.

2. Check the Remember credentials checkbox if you want CCC to cache your root of trust credentials.

3. Click the Activate button.

Uninstallation Issues

I’m encountering an error while uninstalling CCC

Run the sh uninstall.sh -debug command to see a detailed error log on your screen. Based on the error that is displayed in the error log, you can make the necessary changes and then run the sh uninstall.sh command again. If you are not able to resolve the issue using the error log, take a screenshot of the error log and contact Thales Customer Support.

Operational Issues

CCC maintains multiple log files that you can view to help troubleshoot operational issues you may encounter when using CCC. The logs are saved to:

Server Logs: /usr/safenet/ccc/server/standalone/log/server.log

Monitoring Logs: /usr/safenet/ccc/server/standalone/log/monitoring.log

Operations Logs: /usr/safenet/ccc/server/standalone/log/operations.log

NOTE   We recommend that you delete any obsolete logs or move them to another location to reduce system clutter on the CCC server.

JDK Installation during CCC Server Configuration

If CCC is not successfully configured during installation of JDK version 1.8.0_171, the CCC administrator can perform the following steps:

1. Open the picketbox module.xml file:

vi /usr/safenet/ccc/server/modules/system/layers/base/org/picketbox/main/module.xml

2. Add the following dependency into the module.xml file:

<module name="sun.jdk"/>

3. Restart the CCC service.

Keystore Password Vault Error during CCC Server Configuration

If the keystore password fails to be stored in the vault during CCC server configuration, the CCC administrator can perform the following steps:

1. Open the picketbox module.xml file:

vi /usr/safenet/ccc/server/modules/system/layers/base/org/picketbox/main/module.xml

2. Add the following dependency into the module.xml file:

<module name="sun.jdk"/>

3. Re-run the following CCC server configuration script with the old password or the new password, depending on the error message:

sh config.sh

PED Connections

For devices with REST, if there is an active PED connection on the device that CCC is attempting to connect to (for example, if another session is executing "HSM login..."), the authorize request will wait until that action is done before continuing.

Root of Trust NTLS Connections

If you have connection problems with your Thales Luna Network HSM partition or root of trust, try examining the NTLS TCP keep alive setting. The root of trust terminates the NTLS connection if the connection is idle for a set length of time and unresponsive to a set number of transmissions. Follow this procedure to adjust these values. See the LunaSH Command Reference Guide for more information on the command, including acceptable ranges.

1. In LunaSH on your root of trust, run the following command to view the keep alive settings:

lunash:> ntls tcp_keepalive show

2. Reset any values that you determine to be too small.

lunash:> ntls tcp_keepalive set -idle <new_idle_time> -interval <new_interval_between_retries> -probes <new_number_of_retries>

3. Check that your settings were applied.

lunash:> ntls tcp_keepalive show

4. Log into your CCC web server and open a terminal.

5. Restart the CCC service.

systemctl restart ccc

Error Messages

| Error message | Cause |
| --- | --- |
| Operation failed on host <hostname>. Crypto User activation failed. The operation requires the PIN to be initialized. | Attempt to authorize CU when CU not initialized |
| Operation failed on host <hostname>. Resource: https://<hostname>/api/lunasa/hsms/<HSM ID>/partitions/<partition ID> was not found | Device becomes zeroized before initializing a service |
| Operation failed on host <hostname>. Error ID: LUNA_RET_SM_TOSM_DOES_NOT_VALIDATE | Device becomes zeroized before creating a service |
| The HSM at host <hostname> is zeriozed. | Attempt to authorize device that is zeroized |
| There was a problem connecting to <hostname>. Please check that the device is online and the host address and port number are correct. | Authorize device - HSM cannot be contacted (network service stopped) |
| Operation failed on host <hostname>. Error ID: LUNA_RET_HA_USER_NOT_INITIALIZED | Create service - click Finish while in the process of initializing HSM |
| Operation failed on host <hostname>. An error happened when attempting to connect to ped server. | Authorize device – PED server stopped; Invalid PED server address; Initialize Service – PED server stopped; Initialize Service: PED server running but PED disconnected |
| Operation failed on host <hostname>. Error ID: LUNA_RET_CB_ABORTED | PED unplugged while initializing service |
| Operation failed on host <hostname>. Error ID: LUNA_RET_LICENSE_CAPACITY_EXCEEDED | Space remains on HSM, but no more licenses available (Add PPSO Service, Init PPSO service, Init Legacy Service) |
| Operation failed on host <hostname>. Error ID: LUNA_RET_HSM_STORAGE_FULL | Create Service - HSM out of space |
| A service with this name already exists. Please specify a unique name. | Create Service with name that already exists |
| Operation failed on host <hostname>. A duplicate item already exists | If service with same name was previously detached and you try to create a new one with that name; Initialize Legacy Service – try to use a name that already exists |
| Operation failed on host <hostname>. Error ID: LUNA_RET_HA_USER_NOT_INITIALIZED. | Create service when HSM cannot be contacted (webserver service stopped) |
| Operation failed on host <hostname>. Resource: https://<hostname>/api/lunasa/hsms/<HSM ID>/partitions/<partition ID> was not found | Initialize Service when HSM cannot be contacted (webserver service stopped) |
| Operation failed on host <hostname>. Error ID: LUNA_RET_INVALID_CERTIFICATE_DATA | The user adds an HSM device whose webserver certificate is either not generated or is invalid. |

Two Factor Authentication

If you have issues using two factor authentication with the CCC server, you can use the following procedure to reproduce the two factor authentication on the CCC server:

1. Create an Application Owner or Administrator User in the Accounts section of the CCC server.

2. Select the Require two factor authentication radio button.

3. Log out as the current user.

4. Log in to the CCC server as the two factor Application Owner or Administrator you have created.

A QR code and a code string are displayed for authentication.

5. Enter the correct 6-digit OTP to go to the new password window.

NOTE   If CCC is still unable to validate the OTP, verify that the date/time and locale are properly synced with the server that is running CCC.
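Why clock sync matters for the OTP check, as an added example (not CCC code and not from Thales). It assumes the 6-digit OTP is standard RFC 6238 TOTP with HMAC-SHA1, a 30-second step and one step of tolerated skew, none of which the page states; the secret and timestamps are the RFC 6238 test values.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30     # assumed time step in seconds (RFC 6238 default)
DIGITS = 6    # the page states the OTP has 6 digits

def totp(secret_b32: str, unix_time: float) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the given Unix time."""
    key = base64.b32decode(secret_b32, casefold=True)
    counter = struct.pack(">Q", int(unix_time) // STEP)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)

def verify(secret_b32: str, code: str, server_time: float, window: int = 1) -> bool:
    """Accept codes from the server's current step and `window` steps either side."""
    return any(
        hmac.compare_digest(totp(secret_b32, server_time + i * STEP), code)
        for i in range(-window, window + 1)
    )

def estimate_drift_steps(secret_b32, code, server_time, search=40):
    """Return how many steps the code's clock is from the server's, or None."""
    for i in sorted(range(-search, search + 1), key=abs):
        if hmac.compare_digest(totp(secret_b32, server_time + i * STEP), code):
            return i
    return None

# Constructed sample values (RFC 6238 test key and timestamp), not from a CCC system.
SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
SERVER_NOW = 1_111_111_109

if __name__ == "__main__":
    near = totp(SECRET, SERVER_NOW + 20)    # authenticator clock 20 s ahead
    far = totp(SECRET, SERVER_NOW + 300)    # authenticator clock 5 min ahead
    print("20 s skew accepted:", verify(SECRET, near, SERVER_NOW))
    print("5 min skew accepted:", verify(SECRET, far, SERVER_NOW))
    print("estimated drift (steps):", estimate_drift_steps(SECRET, far, SERVER_NOW))
```

A rejected code that matches at a non-zero drift points to a clock problem on the server or the authenticator device rather than a wrong secret.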